How to Prepare Patient Records for a Court Order in Your Healthcare Practice

How to Prepare Patient Records for a Court Order in Your Healthcare Practice

How to Prepare Patient Records for a Court Order in Your Healthcare Practice

You are working at the reception desk of a healthcare practice. Suddenly, there is a police officer giving you a court order! Do you know how to prepare patient records for a court order?

panic button

Don’t Panic!

Take a deep breath. Then, follow these steps to help you to respond to a request for patient records for a court order with confidence!

Listen to the Design Your Practice Podcast with Kayla Das!

Episode 76: How to Prepare Client Records for a Court Order with Jean Eaton

 
designer practice podcast logo court order

Listen to the Podcast Here

You can also find the podcast on Apple Podcast, Spotify, and YouTube. Simply search for “Designer Practice Podcast” on your preferred platform.

 

Follow These Steps

In this article, I am not discussing a situation which relates to a life-threatening situation that requires an immediate response. I am also not discussing when the order relates to the type or quality of healthcare provided to the patient or when the actions of the healthcare provider or clinic is being challenged or reviewed. These are topics for a different article.

Your reception staff should not accept the court order but, instead, immediately ask the officer to wait for a few minutes so that they can request their supervisor or privacy officer meet with them.

When the court order is an administrative request for information, the supervisor or privacy officer will accept the court order from the officer. Before the officer leaves, make sure that you read the court order carefully and ensure:

  • Who is named in the court order.
    • This is often the clinic manager of the clinic. Your clinic should be specifically named or, perhaps, the name of your lead physician or healthcare provider.
  • Record the date and time that you received the order.
  • Clarify when the response is required.
  • Name and contact information.
    • This could be of the officer that delivered the court order (if possible).
    • At minimum, it should include the contact information of the court, for example, the court clerk’s office or the witness co-ordinator, or the sheriff’s office.
  • The province or jurisdiction of the court.
  • In general, this should be the same province where your clinic operates. If not, contact your lawyer for advice on how to respond.

Review Your Policies and Procedures

This is not a routine request from a patient to access their health records or a request to disclose their records to a third party like a lawyer or insurance company. In those routine requests, patients are generally required to provide a written, signed consent before you can disclose their records.

When you receive a court order or subpoena to produce patient records at a court or other legal proceeding, you are not required to get a signed consent from the patient.

Each healthcare practice should have detailed policies and procedures on how to prepare patient records for a court order. Review these now.

If you don’t have up-to-date policies and procedures, see the Practice Management Success Tip, How to Prepare Patient Records for a Court Order.

Validate the Court Order

Read the court order carefully. In particular,

  • Phone the contact number on the court order.
  • Confirm the date, time, and location that you are required to appear.

Locate the Patient Record

Find the patient information maintained in an electronic database, electronic medical record (EMR) and/or paper records. Remember to look for both active and inactive patient records as needed by the court order.

Read the patient record carefully, line by line, to ensure that the record is complete. For example, make sure that all lab reports, prescriptions, consultation notes, etc. are included in the record.

Secure the record to prevent snooping or modification to the record. Also ensure that the record is available for continuing care and treatment of the patient, if needed.

In an electronic record, prepare an audit log of all the transactions on that patients’ chart.

Ensure there is no duplicate or second chart for the patient that may have been created in error. Search by alternate names, spellings, date of birth, etc.

Ensure that each custodian included in the patients’ care and your healthcare practice’s privacy officer is informed of the court order to produce the record. The custodian should be provided an opportunity to review their clinic notes. Remind the custodian that they cannot further disclose the patient’s record.

Prepare the Patient Record

Review the court order and identify exactly what information is requested. It might be for specific dates or a condition or treatment.

Keep complete and detailed notes about how you prepared your response to the court order. You will bring your notes with you to court to assist you in your testimony about how your clinic creates and maintains patient records and what you did to respond to the court order. After your court appearance, you will maintain your notes as part of the business records for the clinic.

Collect the information and record each of your steps and your results, including the records that you searched for as well as those that you did not find any results for.

If you maintain your patient records in an electronic medical record (EMR) or digital practice management software, print out a hard copy of all the information that responds to the information that is requested.

Sever (also known as redact or black-line) any information that is not appropriate to include in the disclosure. Cross-reference each redacted entry to the legal authority not to include the information in the disclosure.

illustration of text that has black lines through sections sever or redact part of How to Prepare Patient Records for a Court Order
If you are using an EMR, organize the paper print-out in a format that makes sense. This might be in chronological date order, or by grouping like records (clinic notes, lab results, etc.) together.

Create a ‘Table of Contents’ of the information in the patient record. This will help you in your testimony to quickly find requested information, and to help the court to locate information in the records that you have prepared.

At the same time, handwrite in ink at the bottom of each page the sequential page number in the package. Update the table of contents with the page numbers.

Stamp ‘COPY’ on each page.

When the package is complete, make a photocopy (or two) of the entire package. The ‘original’ paper copy will be maintained at the clinic. Bring the original and the copy to court and ask the court to accept your copy. Return the original package to the clinic and securely maintain this as part of the business records of the clinic until the court file is complete.

When You Attend At Court

As the clinic manager, your role at the court is to tell the court how patient information is collected and maintained in your healthcare practice. Your job is not to interpret the content of the clinic notes.

A few days prior to the court date indicated on the court order, phone the clerk’s office or witness support office to confirm the date, time, and location of the proceedings and if you are still required to attend.

image of 3d figure in a witness box in court raising hand to affirm testimony How to Prepare Patient Records for a Court Order
On the day of the proceedings, report to the clerk of the court.

Bring with you the court order, your photo ID, the patient record, and your notes. Bring a good book to read in case you have a long wait.

You will be advised (again) if you are required that day. If you are not required, the clerk will make a notation on your court order to appear that you attended and that you have been dismissed. Keep this in your business records with the patient record.

If your testimony and the patient records are required, you will be called as a witness during the court proceeding.

You will be asked to swear or affirm an oath to speak honestly during your testimony.

Typical questions that you should be prepared to answer include:

  • Your name.
  • Your role at the clinic, how long you have been in that role, your routine tasks and responsibilities at the clinic.
  • Describe how patient records are maintained. Be prepared to explain your EMR or computer patient management system (if you have one).
  • Bring your notes about the steps that took to prepare for the court order. You may ask permission of the court to refer to your notes that you created when preparing to respond to the court order during your testimony, if necessary.
  • Explain that the patient records are kept electronically and that you have prepared a paper print-out of those notes.
  • Be prepared to explain how you know that the records are complete, not missing any details, etc.
  • If the court asks you to enter the records into evidence, explain that you have an ‘original’ and a ‘copy’ and ask the court to accept the ‘copy’ into evidence.

When You Return to the Clinic

Complete your notes by documenting your day at the court. Write a short summary of your day including:

  • Did you give a copy of the patient records to the court? To whom?
  • Remember to add this notation to the patients’ record that you disclosed this information according to the court order.
  • Any follow-up required for this disclosure?
  • Review your procedures. Anything that you would edit or provide additional instructions that will help you to be better prepared for next time you receive a court order?
  • Submit a copy of your out of pocket expenses (parking receipts, meals, etc.) for re-imbursement by your employer, if applicable.

What You Should Do Now

  1. Review your policies and procedures now to ensure that it includes how to respond to a court order.
  2. Train your reception staff on what to do if they receive a court order.
  3. Train your privacy officer and clinic manager on how to prepare a patient record for a court order.

Depending on where you work, you may receive a court order regularly or it might be a once-in-a-career experience. When you have policies and procedures and a little bit of training to assist you, you can respond to a court order calmly and confidently.

If you are a member of Practice Management Success, login and access the ’Procedure:  Preparing Patient Records for a Court Order’ template and the replay of the tutorial video.
 
image Jean L. Eaton

When we know better, we can do better…

Jean Eaton is constructively obsessive about privacy, confidentiality, and security especially when it comes to the handling of personal health information. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.

Jean L. Eaton
Your Practical Privacy Coach
INFORMATION MANAGERS

Do You Know Where Your Policies And Procedures Are?

Do You Know Where Your Policies And Procedures Are?

Do You Know Where Your Policies and Procedures Are?

This is a cautionary tale.

And it could save you a lot of embarrassment – even legal issues.

The way a healthcare provider collects, uses and discloses personal health information (PHI) is critical to an efficient healthcare practice.

It’s also required by legislation and professional college regulations and standards.

Policies and procedures must be in writing, available to employees, and monitored to ensure that they are followed. Otherwise, you face all sorts of risks, including privacy breaches and other legal problems.

 

Don’t let this happen to you!

Everyone in a healthcare practice — including front office staff, wellness practitioners and physicians and other custodians — must be aware of and follow these policies and procedures.

These policies and procedures also become the foundation of your privacy impact assessment (PIA).

That’s why, in this Privacy Breach Nugget, we’ll review a privacy breach investigation report from Alberta’s Office of the Information and Privacy Commissioner (OIPC). Whether you have a new practice, or an existing practice, we have a number of services and resources designed to help you manage your practice in a way that not only meets legal requirements, but is streamlined and efficient, and keep your information secure.

What Happened

This report started with an employee suspected of accessing health information for an unauthorized purpose.

It started with at the clinic with a conflict between the employees and the employer.

An employee (Employee A) was on leave from her position at the clinic. Her access to the electronic medical record (EMR) was suspended during her leave.

Employee A wanted to access patient information to support her dispute with management. Over two months, Employee A used Employee B’s credentials to access patient records.

This action is in contravention of the Health Information Act (HIA) sections 27 and 28.

This is where this case becomes even more convoluted and, in fact, a better case study of what not to do.

Employee Dispute

Understanding the Health Information Act

The Health Information Act (HIA) requires the custodian (the physician, in this case) to take reasonable steps to maintain administrative, technical, and physical safeguards to protect patient privacy as required by sections 60 and 63 of the HIA, and section 8 of the Health Information Regulation.

In November 2013, the clinic submitted a privacy impact assessment (PIA) to the OIPC prior to its implementation of an electronic medical record (EMR).

The PIA included written policies and procedures.

The letter to the OIPC accompanying the PIA was signed by two physicians, as well as Employee A who was the privacy officer at that time.

The physician named in the investigative report is not the current custodian at the clinic. The physician was hired in 2015 and therefore not a member of the clinic in 2013 and not involved in the initial PIA submission.

During the investigation, both employees indicated that the policies and procedures to protect patient privacy were in a binder in the clinic, but it was never used or shared with the staff.

Oaths of confidentiality may have been previously signed by the employees, but the documents could not be produced during the investigation.

Section 8 (6) of the Regulation states the ‘custodian must ensure its affiliates are aware of and adhere to all of the custodians administrative, technical, and physical safeguards in respect of health information.’

It’s common practice for clinics to require employees to sign confidentiality agreements and ensure that they receive patient privacy awareness training with regular updates.

But in this investigation, the employees said they never received privacy awareness training.

 

Access To Patient Information

The employees also stated it was common practice at this clinic for individuals to not log off of their EMR account on the computers at the reception desks. It was common practice for other employees to access an open session to quickly perform a task in the EMR.

The investigator concluded that the physician was in contravention of the HIA section 63(1) which requires custodians to establish or adopt policies and procedures that would facilitate the implementation of the Act and regulations.

These specific findings were made:

  • The custodian failed to ensure the clinic employees were made aware of and adhered to the safeguards put in place to protect health information in contradiction contravention of section 8(6) of the regulation.
  • The custodian was in contravention of section 8(6) of the regulation which requires custodians to ensure that their affiliates are aware of and adhere to all of the custodian’s administrative, technical, and physical safeguards with respect to health information. It’s important to note any collection use or disclosure of health information by an affiliate of a custodian is considered to be the collection, use, and disclosure by the custodian.
  • The custodian failed to ensure the employee and the other clinic staff adhered to technical safeguards as required by section 60 of the HIA and section 8(6) of the regulations.

Privacy Breach Nuggets You Need to Know

Privacy breaches are in the news every day. The more you know how breaches can affect you allows you to be more proactive to prevent privacy breach pain.

Get Your Privacy Documents In Order

To protect yourself and your practice from patient privacy breaches (and massive fines, see the conclusion to this article), follow these steps.

  1. Find your policies and procedures and review them with all staff and custodians. Make sure you document that this has been done.
  2. Review and update your privacy awareness training and ensure all staff, including custodians, have completed this recently. Make sure you have this documented, including certificates of attendance if available.
  3. Oath of confidentiality documents should be signed by all of all clinic staff and custodians and maintained in a secure location.
  4. Review your privacy impact assessment and ensure all of your current custodians have read this and understand it. Visit this post for more information to help you determine if you need a PIA amendment.

Monitor

This incident occurred in 2016. The OIPC office did not recommend any additional sanctions against the clinic, physicians, or employees.

To get templates of policies and procedures for your healthcare practice, be sure to sign up for the Practice Management Success Membership

New Amendments To The HIA

This case might have turned out differently today.

New amendments, as of 2018, provide a provision for fines under the HIA ranging from $2,000 to $200,000.

The public — and our patients — expect and trust us to make sure that their personal health information is kept secure and confidential.

It’s our responsibility to make sure we have these administrative, technical, and physical safeguards in place and are maintained in a consistent fashion.

When you’ve done the hard work to implement your patient privacy policies and procedures and your privacy impact assessment, make sure you continue your journey and keep these documents up-to-date and current. To help you, sign up for the Practice Management Success Membership.

There are many patient privacy breaches in the news each day, and you never know when it could happen to you.

The more you know about the breaches and how they can affect you allows you to be more proactive to prevent privacy breach pain. If you need to prepare your privacy breach management plan, start your on-line training 4-Step Response Plan right away!

If you need templates of policies and procedures for your healthcare practice, be sure to sign up for the Practice Management Success Membership. These tips, tools, templates, and training will help you save time and money to develop and maintain policies and procedures in your healthcare practice.

 

When we know better, we can do better…

I’ve helped hundreds of healthcare practices prevent privacy breach pain like this. If you would like to discuss how I can help your practice, just send me an email. I am here to help you protect your practice.

PRIVACY BREACH NUGGETS are provided to help you add a ‘nugget’ to your privacy education program. Share these with your staff and patients as a newsletter, poster, or staff meeting.

Jean L. Eaton, Your Practical Privacy Coach

 

 

References and Resources

Alberta Office of the Information and Privacy Commissioner. Investigation Report H2019-IR-01 Investigation into alleged unauthorized accesses and disclosures of health information at Consort and District Medical Society Clinic. May 21, 2019. https://www.oipc.ab.ca/media/996888/H2019-IR-01.pdf

Media Story Reveals Employee Snooping

Media Story Reveals Employee Snooping

Media Story Reveals Employee Snooping

Ontario’s Information and Privacy Commissioner (IPC) opened an investigation into a hospital’s management of employee snooping after three similar privacy breach reports were received from the hospital in 2020 and 2021. The IPC elected to review the privacy breach to ensure that the custodian had adequate safeguards to prevent similar instances.

The investigation found that the hospital had managed the breaches well and no recommendations were required, and findings were published in PHIPA Decision 204.

In this Privacy Breach Nugget series, I will take a look at each of these three incidents as guidance to better respond to a privacy breach in your healthcare practice.

What Happened

A news media story was published containing the names of patients at an Ontario hospital. The hospital Privacy Office initiated an audit which found that a Patient Accounts Clerk had accessed 28 health records without authorized purpose. This snooping is in contravention of the Personal Health Information Protection Act (PHIPA).

Managing the Breach

The Ontario Hospital’s management of the privacy breach can be examined using the 4 Step Response Plan.

4-Step Response Plan

 

 

 

 

 

 

 

 

 

Step 1 – Spot and Stop

The privacy breach was detected by the hospital when the media story aired. The hospital ran a preliminary audit on the health records of those patients named in the story that found suspicious access by an accounts clerk. Once identified, the hospital disabled the clerk’s access to the electronic health record (EHR) system and put them on administrative leave.

Step 2 – Investigate

After identifying the clerk, the hospital initiated second and third audits on their EHR accesses and found 28 patients whose records were accessed without authorized purpose. This is also known as employee snooping. The investigation established that those patients had been deliberately searched for in the EHR system, confirmed with the clerk’s manager that no authorized purpose was given to do so, and that the clerk had previously signed a Statement of Confidentiality and completed privacy and security awareness training.

Step 3 – Notify

The hospital notified those patients affected by the breach by telephone or mail. Under PHIPA s. 12(2), it is mandatory for custodians providing services in Ontario to notify patients whose personal health information has been used or disclosed without consent or authorized purpose.

Notification in this case was delayed for compassionate reasons as some of the health information accessed was from a deceased patient. One patient was not able to be contacted, and a note on their file was made for the registration department to notify the hospital’s Privacy Office the next time the patient registered at the hospital. The patient will be informed of the privacy breach on their return visit to the hospital.

The hospital also notified the IPC of the incident. It is mandatory for a custodian providing services in Ontario to report a privacy breach of personal health information to the IPC (PHIPA regulation s. 6.3 pursuant to PHIPA s. 12.3.)

Step 4 –Prevent the Breach from Happening Again

The hospital considered disciplinary action with the clerk; however, the clerk retired before any actions were taken. Policies and procedures at the hospital were reviewed, and changes made to immediately notify deceased patients’ families of a privacy breach going forward. The hospital’s Privacy Officer will now work closely with the Human Resources department to ensure more consistent investigations.

Commissioner’s Investigation

In the IPC report, the investigation also noted some positive measures taken by the hospital in managing privacy risks:

  • All new staff receive privacy awareness training and sign Statements of Confidentiality. Annual refresher training with new Statements of Confidentiality is mandatory.
  • The hospital’s Privacy Office communicates with staff on privacy issues during a yearly email campaign called Privacy Awareness Week.
  • The hospital’s Privacy Officer holds training sessions when requested or new information is available.
  • The hospital’s EHR system displays a privacy advisory reminder that staff must agree to before accessing information.
  • Policies and procedures are reviewed and amended every three years and when needed.
  • Policies and procedures, and investigation findings are properly documented.
  • As a result of this incident, the hospital outlined a plan to respond to the breaches and the investigation, and to future breaches involving patients who are deceased. These include updating privacy awareness training with examples of snooping similar to those investigated and sending quarterly emails to staff about access without authorized purpose and how to prevent privacy breaches.

Take-Aways

The hospital had pre-existing privacy awareness training and privacy breach management procedures. A review in response to the incident led the hospital to amend their notification procedures for privacy breaches involving deceased patients. Notification to the family will be made immediately in future when breaches involve a deceased patient.

You might need to consider modifying your policies and procedures, too, to include a similar scenario.

Watch for the next article where we share example #2 in IPC Decision 204.

Article submitted by: Aaron Myer

Reference

Ontario Regulation 329/04. Government of Ontario, 2006, https://www.ontario.ca/laws/regulation/040329#BK6. Accessed 9 June 2023.

Personal Health Information Protection Act, 2004. Government of Ontario, 2004, https://www.ontario.ca/laws/statute/04p03. Accessed 9 June 2023.

PHIPA Decision 204. Information and Privacy Commissioner of Ontario, 4 Apr. 2023, https://decisions.ipc.on.ca/ipc-cipvp/phipa/en/521298/1/document.do. Accessed 9 June 2023.